Closed
Bug 1499108
Opened 6 years ago
Closed 6 years ago
AddressSanitizer: heap-use-after-free [@ fetch_add] with WRITE of size 8
Categories
(Core :: Storage: IndexedDB, defect, P1)
Tracking (RESOLVED FIXED, mozilla68)
People
(Reporter: jkratzer, Assigned: janv)
References
(Blocks 3 open bugs)
Details
(4 keywords, Whiteboard: [fixed by bug 1538619][adv-main67+][adv-esr60.7+])
Found while fuzzing mozilla-central rev 7a0840d60252.
I don't currently have a working testcase but will update if one becomes available.
==13706==ERROR: AddressSanitizer: heap-use-after-free on address 0x616000349a88 at pc 0x7f05bba1debb bp 0x7f0557eb7cb0 sp 0x7f0557eb7ca8
WRITE of size 8 at 0x616000349a88 thread T33 (IPDL Background)
#0 0x7f05bba1deba in fetch_add src/clang/bin/../lib/gcc/x86_64-unknown-linux-gnu/4.9.4/../../../../include/c++/4.9.4/bits/atomic_base.h:618:16
#1 0x7f05bba1deba in operator++ src/obj-firefox/dist/include/nsISupportsImpl.h:343
#2 0x7f05bba1deba in AddRef src/dom/indexedDB/ActorsParent.cpp:6379
#3 0x7f05bba1deba in AddRef src/obj-firefox/dist/include/mozilla/RefPtr.h:44
#4 0x7f05bba1deba in AddRef src/obj-firefox/dist/include/mozilla/RefPtr.h:415
#5 0x7f05bba1deba in RefPtr src/obj-firefox/dist/include/mozilla/RefPtr.h:118
#6 0x7f05bba1deba in Construct<mozilla::dom::indexedDB::(anonymous namespace)::Database *&> src/obj-firefox/dist/include/nsTArray.h:554
#7 0x7f05bba1deba in AppendElement<mozilla::dom::indexedDB::(anonymous namespace)::Database *&, nsTArrayInfallibleAllocator> src/obj-firefox/dist/include/nsTArray.h:2577
#8 0x7f05bba1deba in mozilla::dom::indexedDB::(anonymous namespace)::QuotaClient::AbortOperations(nsTSubstring<char> const&) src/dom/indexedDB/ActorsParent.cpp:17659
#9 0x7f05bba1f3b3 in mozilla::dom::indexedDB::(anonymous namespace)::QuotaClient::ShutdownWorkThreads() src/dom/indexedDB/ActorsParent.cpp:17735:3
#10 0x7f05bb457557 in mozilla::dom::quota::QuotaManager::Shutdown() src/dom/quota/ActorsParent.cpp:3668:22
#11 0x7f05bb45708e in mozilla::dom::quota::QuotaManager::ShutdownRunnable::Run() src/dom/quota/ActorsParent.cpp:2834:19
#12 0x7f05b26f9566 in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1252:14
#13 0x7f05b270208d in NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:530:10
#14 0x7f05b3912004 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:364:5
#15 0x7f05b381325c in RunInternal src/ipc/chromium/src/base/message_loop.cc:325:10
#16 0x7f05b381325c in RunHandler src/ipc/chromium/src/base/message_loop.cc:318
#17 0x7f05b381325c in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:298
#18 0x7f05b26f19f3 in nsThread::ThreadFunc(void*) src/xpcom/threads/nsThread.cpp:505:11
#19 0x7f05d61dd008 in _pt_root src/nsprpub/pr/src/pthreads/ptthread.c:201:5
#20 0x7f05d5e256b9 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76b9)
#21 0x7f05d4ea241c in clone /build/glibc-Cl5G7W/glibc-2.23/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:109
0x616000349a88 is located 520 bytes inside of 528-byte region [0x616000349880,0x616000349a90)
freed by thread T33 (IPDL Background) here:
#0 0x563709240372 in __interceptor_free /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:68:3
#1 0x7f05bb9e9cb8 in mozilla::dom::indexedDB::(anonymous namespace)::VersionChangeTransaction::~VersionChangeTransaction() src/dom/indexedDB/ActorsParent.cpp:15706:1
#2 0x7f05bb977126 in mozilla::dom::indexedDB::(anonymous namespace)::TransactionDatabaseOperationBase::SendPreprocessInfoOrResults(bool) src/dom/indexedDB/ActorsParent.cpp:23511:5
#3 0x7f05bb96e718 in mozilla::dom::indexedDB::(anonymous namespace)::TransactionDatabaseOperationBase::Run() src/dom/indexedDB/ActorsParent.cpp
#4 0x7f05b26f9566 in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1252:14
#5 0x7f05b270208d in NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:530:10
#6 0x7f05b3912004 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:364:5
#7 0x7f05b381325c in RunInternal src/ipc/chromium/src/base/message_loop.cc:325:10
#8 0x7f05b381325c in RunHandler src/ipc/chromium/src/base/message_loop.cc:318
#9 0x7f05b381325c in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:298
#10 0x7f05b26f19f3 in nsThread::ThreadFunc(void*) src/xpcom/threads/nsThread.cpp:505:11
#11 0x7f05d61dd008 in _pt_root src/nsprpub/pr/src/pthreads/ptthread.c:201:5
#12 0x7f05d5e256b9 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76b9)
previously allocated by thread T33 (IPDL Background) here:
#0 0x5637092406b3 in malloc /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:88:3
#1 0x563709271acd in moz_xmalloc src/memory/mozalloc/mozalloc.cpp:70:17
#2 0x7f05bb963cb4 in operator new src/obj-firefox/dist/include/mozilla/mozalloc.h:139:12
#3 0x7f05bb963cb4 in mozilla::dom::indexedDB::(anonymous namespace)::OpenDatabaseOp::EnsureDatabaseActor() src/dom/indexedDB/ActorsParent.cpp:22292
#4 0x7f05bb942de2 in mozilla::dom::indexedDB::(anonymous namespace)::OpenDatabaseOp::BeginVersionChange() src/dom/indexedDB/ActorsParent.cpp:21939:3
#5 0x7f05bb936727 in mozilla::dom::indexedDB::(anonymous namespace)::FactoryOp::Run() src/dom/indexedDB/ActorsParent.cpp
#6 0x7f05b26f9566 in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1252:14
#7 0x7f05b270208d in NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:530:10
#8 0x7f05b3912004 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:364:5
#9 0x7f05b381325c in RunInternal src/ipc/chromium/src/base/message_loop.cc:325:10
#10 0x7f05b381325c in RunHandler src/ipc/chromium/src/base/message_loop.cc:318
#11 0x7f05b381325c in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:298
#12 0x7f05b26f19f3 in nsThread::ThreadFunc(void*) src/xpcom/threads/nsThread.cpp:505:11
#13 0x7f05d61dd008 in _pt_root src/nsprpub/pr/src/pthreads/ptthread.c:201:5
#14 0x7f05d5e256b9 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76b9)
Thread T33 (IPDL Background) created by T0 here:
#0 0x56370922973d in __interceptor_pthread_create /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:204:3
#1 0x7f05d61d9d45 in _PR_CreateThread src/nsprpub/pr/src/pthreads/ptthread.c:433:14
#2 0x7f05d61d992e in PR_CreateThread src/nsprpub/pr/src/pthreads/ptthread.c:518:12
#3 0x7f05b26f4988 in nsThread::Init(nsTSubstring<char> const&) src/xpcom/threads/nsThread.cpp:719:8
#4 0x7f05b2700d7e in nsThreadManager::NewNamedThread(nsTSubstring<char> const&, unsigned int, nsIThread**) src/xpcom/threads/nsThreadManager.cpp:485:22
#5 0x7f05b2705687 in NS_NewNamedThread(nsTSubstring<char> const&, nsIThread**, nsIRunnable*, unsigned int) src/xpcom/threads/nsThreadUtils.cpp:143:45
#6 0x7f05b38d7912 in NS_NewNamedThread<16> src/obj-firefox/dist/include/nsThreadUtils.h:75:10
#7 0x7f05b38d7912 in (anonymous namespace)::ParentImpl::CreateBackgroundThread() src/ipc/glue/BackgroundImpl.cpp:1015
#8 0x7f05b38dd16a in RunOnMainThread src/ipc/glue/BackgroundImpl.cpp:1330:30
#9 0x7f05b38dd16a in (anonymous namespace)::ParentImpl::CreateActorHelper::Run() src/ipc/glue/BackgroundImpl.cpp:1351
#10 0x7f05b26f9566 in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1252:14
#11 0x7f05b270208d in NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:530:10
#12 0x7f05b26f70fa in SpinEventLoopUntil<mozilla::ProcessFailureBehavior::ReportToCaller, (lambda at /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:953:22)> src/obj-firefox/dist/include/nsThreadUtils.h:347:25
#13 0x7f05b26f70fa in nsThread::Shutdown() src/xpcom/threads/nsThread.cpp:953
#14 0x7f05b485ad6b in applyImpl<nsIThread, nsresult (nsIThread::*)()> src/obj-firefox/dist/include/nsThreadUtils.h:1191:12
#15 0x7f05b485ad6b in apply<nsIThread, nsresult (nsIThread::*)()> src/obj-firefox/dist/include/nsThreadUtils.h:1197
#16 0x7f05b485ad6b in mozilla::detail::RunnableMethodImpl<RefPtr<nsIThread>, nsresult (nsIThread::*)(), true, (mozilla::RunnableKind)0>::Run() src/obj-firefox/dist/include/nsThreadUtils.h:1242
#17 0x7f05b26f9566 in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1252:14
#18 0x7f05b270208d in NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:530:10
#19 0x7f05b270166e in SpinEventLoopUntil<mozilla::ProcessFailureBehavior::ReportToCaller, (lambda at /builds/worker/workspace/build/src/xpcom/threads/nsThreadManager.cpp:558:36)> src/obj-firefox/dist/include/nsThreadUtils.h:347:25
#20 0x7f05b270166e in nsThreadManager::SpinEventLoopUntilInternal(nsINestedEventLoopCondition*, bool) src/xpcom/threads/nsThreadManager.cpp:558
#21 0x7f05b27357e1 in NS_InvokeByIndex src/xpcom/reflect/xptcall/md/unix/xptcinvoke_asm_x86_64_unix.S:106
#22 0x7f05b495cf3f in Invoke src/js/xpconnect/src/XPCWrappedNative.cpp:1723:12
#23 0x7f05b495cf3f in Call src/js/xpconnect/src/XPCWrappedNative.cpp:1268
#24 0x7f05b495cf3f in XPCWrappedNative::CallMethod(XPCCallContext&, XPCWrappedNative::CallMode) src/js/xpconnect/src/XPCWrappedNative.cpp:1232
#25 0x7f05b496398f in XPC_WN_CallMethod(JSContext*, unsigned int, JS::Value*) src/js/xpconnect/src/XPCWrappedNativeJSOps.cpp:1019:12
#26 0x7f05c26c3b3b in CallJSNative src/js/src/vm/Interpreter.cpp:461:15
#27 0x7f05c26c3b3b in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) src/js/src/vm/Interpreter.cpp:553
#28 0x7f05c26acabe in CallFromStack src/js/src/vm/Interpreter.cpp:613:12
#29 0x7f05c26acabe in Interpret(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:3451
#30 0x7f05c2691d8b in js::RunScript(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:440:12
#31 0x7f05c26c464e in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) src/js/src/vm/Interpreter.cpp:580:15
#32 0x7f05c26c63e2 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) src/js/src/vm/Interpreter.cpp:626:10
#33 0x7f05c1b89382 in js::fun_apply(JSContext*, unsigned int, JS::Value*) src/js/src/vm/JSFunction.cpp:1379:12
#34 0x7f05c26c3b3b in CallJSNative src/js/src/vm/Interpreter.cpp:461:15
#35 0x7f05c26c3b3b in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) src/js/src/vm/Interpreter.cpp:553
#36 0x7f05c26acabe in CallFromStack src/js/src/vm/Interpreter.cpp:613:12
#37 0x7f05c26acabe in Interpret(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:3451
#38 0x7f05c2691d8b in js::RunScript(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:440:12
#39 0x7f05c26c464e in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) src/js/src/vm/Interpreter.cpp:580:15
#40 0x7f05c26c63e2 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) src/js/src/vm/Interpreter.cpp:626:10
#41 0x7f05c17a00b0 in JS_CallFunctionValue(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) src/js/src/jsapi.cpp:2915:12
#42 0x7f05b493d4af in nsXPCWrappedJSClass::CallMethod(nsXPCWrappedJS*, unsigned short, nsXPTMethodInfo const*, nsXPTCMiniVariant*) src/js/xpconnect/src/XPCWrappedJSClass.cpp:1206:23
#43 0x7f05b2736ee8 in PrepareAndDispatch src/xpcom/reflect/xptcall/md/unix/xptcstubs_x86_64_linux.cpp:127:37
#44 0x7f05b2735dba in SharedStub (/home/ubuntu/firefox/libxul.so+0x4701dba)
#45 0x7f05c09fe183 in nsXREDirProvider::DoStartup() src/toolkit/xre/nsXREDirProvider.cpp:1027:11
#46 0x7f05c09d328e in XREMain::XRE_mainRun() src/toolkit/xre/nsAppRunner.cpp:4607:16
#47 0x7f05c09d6c9b in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) src/toolkit/xre/nsAppRunner.cpp:4922:8
#48 0x7f05c09d8853 in XRE_main(int, char**, mozilla::BootstrapConfig const&) src/toolkit/xre/nsAppRunner.cpp:5014:21
#49 0x5637092709ac in do_main src/browser/app/nsBrowserApp.cpp:233:22
#50 0x5637092709ac in main src/browser/app/nsBrowserApp.cpp:315
#51 0x7f05d4dbb82f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
SUMMARY: AddressSanitizer: heap-use-after-free src/clang/bin/../lib/gcc/x86_64-unknown-linux-gnu/4.9.4/../../../../include/c++/4.9.4/bits/atomic_base.h:618:16 in fetch_add
Shadow bytes around the buggy address:
0x0c2c80061300: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c2c80061310: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c2c80061320: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c2c80061330: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c2c80061340: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c2c80061350: fd[fd]fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c2c80061360: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c2c80061370: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c2c80061380: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c2c80061390: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c2c800613a0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==13706==ABORTING
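Reading the three stacks together: the 528-byte region is a Database object allocated in OpenDatabaseOp::EnsureDatabaseActor, freed when VersionChangeTransaction's destructor dropped it from SendPreprocessInfoOrResults, and later handed, still as a raw Database*, to nsTArray::AppendElement in QuotaClient::AbortOperations, whose RefPtr<Database> constructor called AddRef on the dead object. The 8-byte WRITE is the atomic fetch_add on the refcount, 520 bytes into the freed block. All three stacks are on thread T33 (IPDL Background), so this is not a thread race; it is a registry of non-owning pointers that outlived the object it pointed to, then got snapshotted into strong references at shutdown. The C++ below is an added, constructed model of that ordering, not Firefox code and not the patch from bug 1538619: the names Database and AbortOperations are borrowed from the trace for orientation, objects come from a fixed pool so that a refcount operation on a torn-down object can be counted rather than being undefined behaviour, and the Fixed policy only differs by unregistering the object before teardown.

```cpp
// Constructed model of the stale-pointer pattern in the ASan report; not Firefox code.
// Objects live in a fixed pool and are never handed back to the allocator, so an
// AddRef()/Release() on a torn-down object is counted instead of being undefined
// behaviour (which is what ASan turned into the abort above).
#include <algorithm>
#include <cassert>
#include <cstddef>
#include <cstdio>
#include <vector>

enum class Policy { Buggy, Fixed };

struct Database;
static std::vector<Database*> gLiveDatabases;  // raw, non-owning registry of open databases
static int gStaleAccesses = 0;                 // refcount ops that hit a torn-down object

struct Database {
  Policy policy = Policy::Buggy;
  int refcnt = 0;
  bool destroyed = false;                      // stand-in for the 'fd' (freed) shadow bytes
};

static Database gPool[8];                      // fixed pool: "freed" slots stay inspectable
static std::size_t gNextSlot = 0;

static void Unregister(Database* db) {
  auto it = std::find(gLiveDatabases.begin(), gLiveDatabases.end(), db);
  if (it != gLiveDatabases.end()) gLiveDatabases.erase(it);
}

// Destructor + free() in one step.
static void Destroy(Database* db) {
  if (db->policy == Policy::Fixed) {
    Unregister(db);                            // fixed ordering: leave the registry first
  }
  db->destroyed = true;                        // buggy ordering: registry keeps a dangling pointer
}

static void AddRef(Database* db) {
  if (db->destroyed) { ++gStaleAccesses; return; }   // the 8-byte WRITE ASan flagged in fetch_add
  ++db->refcnt;
}

static void Release(Database* db) {
  if (db->destroyed) { ++gStaleAccesses; return; }
  if (--db->refcnt == 0) Destroy(db);
}

static Database* NewDatabase(Policy p) {
  assert(gNextSlot < sizeof gPool / sizeof gPool[0]);
  Database* db = &gPool[gNextSlot++];
  *db = Database{};
  db->policy = p;
  gLiveDatabases.push_back(db);                // registered at creation, like EnsureDatabaseActor
  return db;
}

// Shutdown path. The snapshot of strong references is taken before anything is
// aborted, so a Release() triggered by the abort cannot mutate the registry mid-loop;
// that is also exactly the step where a dangling registry entry gets AddRef'd.
static int AbortOperations() {
  std::vector<Database*> strongRefs;
  for (Database* db : gLiveDatabases) {
    AddRef(db);                                // RefPtr<Database> construction in AppendElement
    strongRefs.push_back(db);
  }
  int aborted = 0;
  for (Database* db : strongRefs) {
    if (!db->destroyed) ++aborted;             // the abort itself is elided in this model
    Release(db);                               // RefPtr destruction
  }
  return aborted;
}

struct Outcome {
  int staleAccesses;       // > 0 means a refcount op touched a torn-down object
  int aborted;             // databases AbortOperations actually saw alive
  std::size_t dangling;    // registry entries left behind after everything was released
};

// The sequence in the report: a database's last reference is dropped when its
// version-change transaction finishes, then shutdown walks the registry.
static Outcome RunScenario(Policy p) {
  gLiveDatabases.clear();
  gNextSlot = 0;
  gStaleAccesses = 0;

  Database* open = NewDatabase(p); AddRef(open);   // still in use when shutdown starts
  Database* vc   = NewDatabase(p); AddRef(vc);     // owned by a version-change transaction
  Release(vc);                                     // ~VersionChangeTransaction drops the last ref
  int aborted = AbortOperations();                 // QuotaManager::Shutdown -> AbortOperations
  Release(open);
  return Outcome{gStaleAccesses, aborted, gLiveDatabases.size()};
}

int main() {
  Outcome buggy = RunScenario(Policy::Buggy);
  Outcome fixed = RunScenario(Policy::Fixed);
  std::printf("buggy: stale=%d aborted=%d dangling=%zu\n",
              buggy.staleAccesses, buggy.aborted, buggy.dangling);
  std::printf("fixed: stale=%d aborted=%d dangling=%zu\n",
              fixed.staleAccesses, fixed.aborted, fixed.dangling);
  return 0;
}
```

With the Buggy policy the run reports two stale refcount operations (the AddRef when the snapshot is built and the Release when it is torn down) and two dangling registry entries; with the Fixed policy both counts are zero and shutdown aborts exactly the one database that was still open. In the real code the equivalent check is what a refcount-poisoning or ASan build provides; the design point is that a table of raw pointers must be maintained by the object's own teardown path, whichever path drops the last reference.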
Updated•6 years ago
Group: core-security → dom-core-security
Keywords: csectype-uaf, sec-high
Updated•6 years ago
Assignee: nobody → jvarga
Priority: -- → P1
Comment 3•6 years ago
This looks related to bug 1499719: the memory was freed under similar circumstances and the illegal access happens when aborting operations.
Assignee
Comment 4•6 years ago
Yeah, those two look very similar.
Assignee
Comment 5•6 years ago
This might get fixed in bug 1538619.
Reporter
Comment 6•6 years ago
(In reply to Jan Varga [:janv] from comment #5)
> This might get fixed in bug 1538619.
Jan, can you CC me on this?
Assignee
Comment 7•6 years ago
This should be fixed by the patch in bug 1538619.
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla68
Updated•6 years ago
Group: dom-core-security → core-security-release
status-firefox66: --- → wontfix
status-firefox67: --- → affected
status-firefox68: --- → fixed
status-firefox-esr60: --- → affected
Updated•6 years ago
Whiteboard: [fixed by bug 1538619]
Comment 8•6 years ago
Patch in bug 1538619 was uplifted to beta 67.0b12.
Comment 9•6 years ago
(In reply to Liz Henry (:lizzard) (use needinfo) from comment #8)
> Patch in bug 1538619 was uplifted to beta 67.0b12.
And to esr, for ESR 60.7.
Updated•6 years ago
Whiteboard: [fixed by bug 1538619] → [fixed by bug 1538619][adv-main67+][adv-esr60.7+]
Updated•5 years ago
Blocks: asan-maintenance
Updated•4 years ago
Group: core-security-release